Translate between Certificate Template Permissions and ActiveDirectoryRights enum

Mike Bruno 136 Reputation points
2020-08-14T20:49:32.483+00:00

I'm trying to generate a report containing details about all certificate templates published in my forest. One of the things I want to show in the report is what principals have Read, Write and Enroll permissions on each template.

In order to do that, I am pulling back each cert template from AD as a DirectoryEntry object via its LDAP DN. From there, I am enumerating its access rules & attempting to make a determination about each identity's permission based on the System.DirectoryServices.ActiveDirectoryRights enumeration:

using System.DirectoryServices;
using System.Security.Principal;

ActiveDirectorySecurity Sec = Entry.ObjectSecurity;
foreach (ActiveDirectoryAccessRule AccessRule in Sec.GetAccessRules(true, true, typeof(NTAccount)))
{
    string Identity = AccessRule.IdentityReference.ToString();

    // I realize Read & Write are not exhaustive, but it's accurate enough for my purposes.
    bool Read = (AccessRule.ActiveDirectoryRights & ActiveDirectoryRights.GenericRead) != 0;
    bool Write = (AccessRule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) != 0;

    // Assumed mapping that turned out not to hold (see below): GenericExecute != Enroll.
    bool Enroll = (AccessRule.ActiveDirectoryRights & ActiveDirectoryRights.GenericExecute) != 0;
}

I am seeing very inconsistent results, especially regarding enrollment. I thought maybe I could assume "GenericExecute" directly translated to "Enroll", but this does not seem to be the case. Is there any direct mapping? And bonus question, can I use this method to determine autoenroll permissions?
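Added example, not part of the question or of either answer: the mapping the question is after, done with System.DirectoryServices alone. Enroll and Autoenroll are not bits of the ActiveDirectoryRights enum; they are ExtendedRight (control-access) ACEs whose ObjectType is the rightsGuid of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights, and an ExtendedRight ACE with an empty ObjectType grants every extended right. The script looks those GUIDs up from the CN=Extended-Rights container rather than hard-coding them. It assumes a domain-joined Windows host, the standard template container path under the Configuration partition, and the extended-right display names given above; the function names Get-ExtendedRightGuid and Get-TemplatePermissionReport are my own.

```powershell
# Added example (not the asker's code). Maps certificate template ACEs to
# Read / Write / Enroll / Autoenroll using only System.DirectoryServices.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = [string]$rootDse.configurationNamingContext

# Resolve the rightsGuid of a control access right by its displayName so that
# the GUIDs for Certificate-Enrollment / Certificate-AutoEnrollment are read
# from the forest instead of being hard-coded.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)   # e.g. 'Certificate-Enrollment'
    $root     = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.Add('rightsguid')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Extended right '$DisplayName' not found in the schema" }
    [Guid]$result.Properties['rightsguid'][0]
}

$enrollGuid     = Get-ExtendedRightGuid 'Certificate-Enrollment'
$autoEnrollGuid = Get-ExtendedRightGuid 'Certificate-AutoEnrollment'

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
# Anything that lets a principal change the template or its ACL counts as Write
# for reporting purposes (conservative: over-reports rather than under-reports).
$writeMask = $ADR::WriteProperty -bor $ADR::WriteDacl -bor $ADR::WriteOwner

# Standard location of published templates (assumed, not taken from the page).
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"

function Get-TemplatePermissionReport {
    foreach ($template in $container.psbase.Children) {
        $sec = $template.psbase.ObjectSecurity
        foreach ($ace in $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            # Only Allow ACEs are reported; Deny ACEs would need separate handling.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights      = $ace.ActiveDirectoryRights
            $extended    = ($rights -band $ADR::ExtendedRight) -ne 0
            # ExtendedRight with an empty ObjectType = all extended rights on the object
            $allExtended = $extended -and $ace.ObjectType -eq [Guid]::Empty
            [PSCustomObject]@{
                Template   = [string]$template.cn
                Identity   = $ace.IdentityReference.Value
                # Read as the GUI shows it: the full GenericRead mask is present.
                Read       = ($rights -band $ADR::GenericRead) -eq $ADR::GenericRead
                # Note: a WriteProperty ACE with a non-empty ObjectType is scoped to
                # one attribute or property set; it is still flagged here.
                Write      = ($rights -band $writeMask) -ne 0
                Enroll     = $allExtended -or ($extended -and $ace.ObjectType -eq $enrollGuid)
                Autoenroll = $allExtended -or ($extended -and $ace.ObjectType -eq $autoEnrollGuid)
            }
        }
    }
}

Get-TemplatePermissionReport | Sort-Object Template, Identity | Format-Table -AutoSize
```

GenericExecute does not enter into it at all: the enrollment permissions live in the ObjectType of ExtendedRight ACEs, which is why checking rights bits alone gives inconsistent results. The same ObjectType check answers the bonus question, since Autoenroll is just a second extended right on the same object.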


Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2020-08-15T05:44:04.68+00:00

    With PowerShell PKI module, you can do it easily:

    Get-CertificateTemplate | Get-CertificateTemplateAcl
    

    The Access property will contain a simplified ACL object (which is a wrapper around the ActiveDirectoryRights class) which reflects the GUI. For example, here is how the output will look:

    PS C:\> Get-CertificateTemplate -name smartcarduserv2 | Get-CertificateTemplateAcl | select -expand access
    
    
    CertificateTemplateRights : Read
    Rights                    : Read
    AccessControlType         : Allow
    IdentityReference         : NT AUTHORITY\Authenticated Users
    IsInherited               : False
    InheritanceFlags          : None
    PropagationFlags          : None
    
    CertificateTemplateRights : Read, Write
    Rights                    : Read, Write
    AccessControlType         : Allow
    IdentityReference         : SYSADMINS\Administrator
    IsInherited               : False
    InheritanceFlags          : None
    PropagationFlags          : None
    
    CertificateTemplateRights : Read, Write, Enroll
    Rights                    : Read, Write, Enroll
    AccessControlType         : Allow
    IdentityReference         : SYSADMINS\Domain Admins
    IsInherited               : False
    InheritanceFlags          : None
    PropagationFlags          : None
    
    CertificateTemplateRights : Read, Write, Enroll
    Rights                    : Read, Write, Enroll
    AccessControlType         : Allow
    IdentityReference         : SYSADMINS\Enterprise Admins
    IsInherited               : False
    InheritanceFlags          : None
    PropagationFlags          : None
    
    CertificateTemplateRights : Read, Enroll, Autoenroll
    Rights                    : Read, Enroll, Autoenroll
    AccessControlType         : Allow
    IdentityReference         : SYSADMINS\Smart Card Users
    IsInherited               : False
    InheritanceFlags          : None
    PropagationFlags          : None
    
    PS C:\>
    
    1 person found this answer helpful.
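Added example, not part of Vadims's answer or of the PSPKI project: using the simplified ACL the answer shows to build the per-template report the question asks for, and to flag templates where a broad principal holds Enroll or Autoenroll. It assumes PSPKI is installed, that the objects returned by Get-CertificateTemplate expose a Name property (the answer selects one with -Name), and that each Access entry has the CertificateTemplateRights, AccessControlType and IdentityReference properties visible in the answer's output; the principal patterns in $broadPrincipals are my own choice.

```powershell
# Added example (not PSPKI's own code). Builds a Read/Write/Enroll/Autoenroll
# report per template and principal from PSPKI's simplified ACL output.
Import-Module PSPKI

# Principals whose Enroll/Autoenroll on a template deserve review (assumed list).
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    '*\Domain Users',
    '*\Domain Computers'
)

function Get-TemplateAclReport {
    foreach ($template in Get-CertificateTemplate) {
        $acl = $template | Get-CertificateTemplateAcl
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # CertificateTemplateRights renders as e.g. 'Read, Enroll, Autoenroll'
            $flags    = ([string]$ace.CertificateTemplateRights) -split ',\s*'
            $identity = [string]$ace.IdentityReference
            $isBroad  = [bool]($broadPrincipals | Where-Object { $identity -like $_ })
            [PSCustomObject]@{
                Template       = $template.Name
                Identity       = $identity
                Read           = $flags -contains 'Read'
                Write          = $flags -contains 'Write'
                Enroll         = $flags -contains 'Enroll'
                Autoenroll     = $flags -contains 'Autoenroll'
                BroadPrincipal = $isBroad
            }
        }
    }
}

$report = Get-TemplateAclReport

# Full report
$report | Sort-Object Template, Identity | Format-Table -AutoSize

# Templates where a broad principal can enroll or autoenroll
$report |
    Where-Object { $_.BroadPrincipal -and ($_.Enroll -or $_.Autoenroll) } |
    Format-Table Template, Identity, Enroll, Autoenroll -AutoSize
```

Because PSPKI already resolves the extended-right ACEs into the Enroll and Autoenroll flags, the report needs no GUID handling; the flag string is split and tested directly, which also tolerates additional flag names beyond the ones shown in the answer.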

1 additional answer

  1. Thameur-BOURBITA 32,496 Reputation points
    2020-08-15T08:40:34.317+00:00

    Hi,

    I agree with Crypt32: you can install the PSPKI module to enable the commands Get-CertificateTemplate and Get-CertificateTemplateAcl. It will be easier to manipulate the certificate templates and their permissions via PowerShell cmdlets.

    You can refer to the following link:

    https://github.com/PKISolutions/PSPKI

    Please don't forget to mark this reply as the answer if it helps you fix your issue.
